Safe Harbor in Doubt Following EU Ruling

PUBLISHED: 28th September 2015

An opinion delivered this week by Advocate General Yves Bot concludes that the Safe Harbor scheme is invalid.

This article first appeared in the Sunday Business Post, 27 September 2015.

For the past fifteen years, that scheme has facilitated the free flow of data from the EU to the US – data which is crucial to tech companies like Facebook and Google.

Edward Snowden's revelations about the US government’s mass surveillance methods, particularly the NSA's clandestine surveillance programme PRISM, were at the root of this week's opinion from Advocate General Bot. The opinion, if followed by the European Court of Justice (ECJ), will potentially have implications for the 4,000 or so companies that rely on Safe Harbor to transfer vast quantities of personal data from the EU to the US.

Facebook Ireland transfers personal data of EU citizens who use its services from Ireland to servers in the US. These data transfers have been sanctioned through the company’s participation in Safe Harbor, a scheme that the European Commission had declared ensured adequate protection of the personal data of EU citizens.

Advocate General Bot’s opinion is that Safe Harbor, rather than protecting personal data, is enabling breaches of EU data protection law and several fundamental rights of the EU’s Charter of Fundamental Rights.

This case arose from the Irish Data Protection Commissioner's (ODPC) refusal to investigate a complaint made by Max Schrems. Schrems, an Austrian law student and Facebook subscriber, complained that Facebook Ireland stores its EU subscribers' personal data in the US without adequate safeguards, contrary to their fundamental rights. In refusing to investigate, the ODPC relied on the legal status of Safe Harbor. Proceedings for judicial review of the ODPC's position were issued in the Irish High Court.

The High Court referred a preliminary question to the ECJ. It asked the ECJ to clarify whether the ODPC, when faced with a complaint, is bound by Safe Harbor or whether the ODPC has the power to conduct its own investigation. Advocate General Bot stressed that the ODPC and equivalent authorities in other EU Member States are “guardians of fundamental rights”, with independent powers to investigate complaints and suspend the transfer of personal data abroad where there is a proven breach of fundamental rights.

According to the Advocate General, companies availing of Safe Harbor have not violated EU law. Rather, Safe Harbor itself is flawed. In his view, data which is transferred to the US is not afforded the same protection as data stored in the EEA. While EU law permits government access to personal data for legitimate counter-terrorism purposes, the Advocate General considered the US intelligence agencies’ surveillance and interception of data to be indiscriminate and overreaching. He stated that there are no assurances that EU citizens’ data will not be accessed by intelligence agencies when not relevant to national security. Further, EU citizens have no effective remedy in the US, as the remedies provided for under relevant US law are granted only to US citizens and legal permanent residents.

The Advocate General concluded that the Safe Harbor scheme is invalid and should be declared as such by the ECJ. Issued ahead of the ECJ’s judgment, the Advocate General's opinion is not binding on the ECJ, but is likely to be persuasive.

The Advocate General was critical of the European Commission for failing to fulfil its obligation to suspend or adapt Safe Harbor following Snowden's revelations. Although the Commission has engaged in negotiations with the US government to reform Safe Harbor, it has not taken any interim measures to ensure protection of EU citizens' data in the US while negotiations are ongoing.

If the ECJ follows the Advocate General’s opinion, Safe Harbor may be suspended, with serious implications for businesses that have been relying on it. Although businesses may consider alternatives to Safe Harbor, such as approved model data transfer contracts or binding corporate rules, they will still encounter the issue of US surveillance.

The Advocate General’s opinion spotlights a conflict that exists between EU data protection standards and US surveillance. This conflict has also been highlighted in another current case in which a US court is considering whether Microsoft can be compelled to comply with a US government subpoena for emails stored in the company's Irish data centre, in circumstances where compliance is not reconcilable with Irish law. These cases will likely add to existing pressure on the US-EU relationship on data privacy.